Observations of a Digitally Enlightened Mind

Vulnerability Assessment best practice: randomize scanning times…

If you can determine a pattern, you can bypass it. Organizations that randomize scan times are more likely to catch those who want to subvert the scanners.

Most organizations schedule VA scans to run at regularly scheduled times: every Friday at 1 a.m., the first Thursday of the month, every Patch Tuesday at noon, or continuously but in a limited mode. Generally this is done to control the impact on the endpoints; unfortunately it also allows anyone who wants to bypass the audit to do so. The problem is that if a scan pattern can be determined, it can be bypassed.

A couple of quick examples: In 2000 I was working in the engineering dept. at the company formerly known as Network Associates; the IT group would scan the engineering network at a regularly scheduled, easily determined time. We had some rogue servers we used (for internal fun only); since we knew when IT would scan us (we had network sniffers), we simply hid the servers from the scanners' view. They never caught us, but if they had scanned us at random dates/times they would have (although we could have taken sniffer output, looked for specific traffic patterns and then triggered a script to shut down services on key servers, but it really wasn't that important). A colleague told me a similar story; he was performing a penetration test and was able to gain access through a fairly insecure Solaris box. When he provided the results to the company, they questioned his results and gave him a copy of a VA scan that showed no Solaris boxes on their network. Turns out one of the IT guys was trying to learn UNIX, placed a Solaris box in his office and opened up a hole in the firewall to practice from home; he would turn the server off early in the morning when the company performed its audits.

I used to commute to San Francisco on BART (Bay Area Rapid Transit), our train system here in the Bay Area. You could pay $60/month for special parking near the entrance, or you could park about a mile away in a dirt patch; it was a long, muddy walk on those cold, rainy mornings. I wondered if the parking enforcement people had a pattern. So I gave myself 30 days to try to determine it, and allowed for a certain number of tickets. Well, a pattern emerged, and I could have parked in the paid parking without a permit and never received a ticket, you know, if I wanted to.

In the spring of 2002 a couple of students were able to create a mathematical algorithm proving that the deterministic passenger screening used by CAPS (Computer Assisted Passenger Screening System) could be easily defeated. In essence they showed that because CAPS uses profiles to select passengers for increased scrutiny, it is actually less secure than a system that employs random searches. The reason is that terrorists could determine the pattern and alter their profiles to avoid it.

So if you perform vulnerability assessments, randomize the scan time; if you run a continuous VA solution, add some "jitter" to the scanning. That being said, the number 1 vulnerability assessment best practice is to ACT ON THE DATA… oh, and wear sunscreen.
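As an added example (not code from the original post), here is a small Python scheduler that does both things the post recommends: it picks one weekly scan on a random weekday at a random time inside an off-hours maintenance window, and it jitters the interval between passes of a continuous scanner. The 22:00 to 05:00 window, the weekly cadence and the 30% jitter are assumed values, not from the post.

```python
"""Randomised VA scan scheduling: no fixed weekday, hour or interval to learn."""
import random
from datetime import datetime, timedelta

OFF_HOURS_START = 22   # assumed maintenance window opens at 22:00
OFF_HOURS_LEN_H = 7    # ...and runs until 05:00 the next morning


def weekly_random_scans(first_monday: datetime, weeks: int, rng=None):
    """One scan per week on a random weekday at a random second inside the
    off-hours window, so neither the day nor the hour can be predicted while
    the load on endpoints still only lands outside business hours."""
    if rng is None:
        rng = random.SystemRandom()   # CSPRNG: a seeded PRNG would itself be a pattern
    scans = []
    for w in range(weeks):
        week_start = first_monday + timedelta(weeks=w)
        day = rng.randrange(7)                              # Monday..Sunday
        offset_s = rng.randrange(OFF_HOURS_LEN_H * 3600)    # 0 .. 7h into the window
        scans.append(week_start + timedelta(days=day, hours=OFF_HOURS_START,
                                            seconds=offset_s))
    return scans


def in_off_hours(ts: datetime) -> bool:
    """Sanity check: does a scan start fall inside the 22:00-05:00 window?"""
    window_end = (OFF_HOURS_START + OFF_HOURS_LEN_H) % 24
    return ts.hour >= OFF_HOURS_START or ts.hour < window_end


def jittered_interval(nominal: timedelta, jitter: float = 0.3, rng=None) -> timedelta:
    """Continuous scanning: the gap before the next pass is the nominal interval
    scaled by a uniform factor in [1-jitter, 1+jitter]. Average throughput is
    unchanged, but the next start time cannot be derived from the last one."""
    if rng is None:
        rng = random.SystemRandom()
    factor = rng.uniform(1.0 - jitter, 1.0 + jitter)
    return timedelta(seconds=nominal.total_seconds() * factor)


if __name__ == "__main__":
    for t in weekly_random_scans(datetime(2024, 1, 1), 4):   # 2024-01-01 is a Monday
        print(t.strftime("%a %Y-%m-%d %H:%M"), "in window:", in_off_hours(t))
    print("next continuous pass in", jittered_interval(timedelta(hours=6)))
```

The schedule is only unpredictable if the seed is not; keep `SystemRandom` in production and use a seeded `random.Random` only when testing.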